Investigate libxslt vulnerabilities patched in USN-4164-1 #1943

Closed
flavorjones opened this issue Nov 17, 2019 · 4 comments

Comments

flavorjones (Member) commented Nov 17, 2019

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary (2019-11-17)

These vulnerabilities are patched in libxslt v1.1.34 which is vendored in Nokogiri v1.10.5 and later.

Present in: Nokogiri <= v1.10.4

Advisory: upgrade to Nokogiri v1.10.5 or later


History of this notification:

  • 2019-10-22: USN-4164-1 published by Canonical
  • 2019-10-31: v1.10.5 released as a maintenance update
  • 2019-11-06: email notification to maintainer about the USN
  • 2019-11-17: this github issue created
  • 2019-11-17: analysis, advice, and security notifications posted

flavorjones (Member, Author) commented Nov 17, 2019

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

This patch is present in libxslt 1.1.34:

```
libxslt $ git tag --contains c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
v1.1.34
v1.1.34-rc2
```

flavorjones (Member, Author) commented Nov 17, 2019

CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

This patch is present in libxslt 1.1.34:

```
libxslt $ git tag --contains 6ce8de69330783977dd14f6569419489875fb71b
v1.1.34
v1.1.34-rc2
```

flavorjones (Member, Author) commented Nov 17, 2019

CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

This patch is present in libxslt 1.1.34:

```
libxslt $ git tag --contains 2232473733b7313d67de8836ea3b29eec6e8e285
v1.1.34
v1.1.34-rc2
```

flavorjones (Member, Author) commented Nov 17, 2019

Summary

All three CVEs are patched in libxslt 1.1.34, and so these CVEs are addressed in v1.10.5 courtesy of commit 43a1753
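The downstream commits referencing this issue mostly paste a bundler-audit report and bump the gem; the script below, an added example that is not part of Nokogiri or of this thread, re-checks such a report (Name/Version/Advisory/Solution records) against the versions actually installed after the bump. The sample report and the installed-version hash are constructed, and `parse_report`, `split_alternatives`, `patched?`, `still_affected` and the grouping heuristic for "Solution" lines are this example's own assumptions.

```ruby
# Constructed sample report in the Name/Version/Solution layout bundler-audit
# prints (values taken from records quoted in this thread).
REPORT = <<~TEXT
  Name: nokogiri
  Version: 1.10.4
  Advisory: CVE-2019-13117
  Criticality: Unknown
  URL: sparklemotion/nokogiri#1943
  Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
  Solution: upgrade to >= 1.10.5

  Name: puma
  Version: 3.12.1
  Advisory: CVE-2019-16770
  Solution: upgrade to ~> 3.12.2, >= 4.3.1
TEXT
# Parse blank-line-separated "Key: value" records into symbol-keyed hashes.
def parse_report(text)
  text.split(/\n{2,}/).map do |block|
    block.lines.each_with_object({}) do |line, rec|
      key, value = line.split(":", 2)
      rec[key.strip.downcase.to_sym] = value.strip if value
    end
  end.reject(&:empty?)
end

# "upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3" lists alternative patched lines
# but the ", " join hides their grouping. Assumed heuristic: "<" joins the
# previous group; ">=" joins a preceding "~>" group only if it lies inside it.
def split_alternatives(solution)
  groups = []
  solution.sub(/\Aupgrade to /, "").split(",").map(&:strip).each do |c|
    op, ver = c.split(" ", 2)
    head = groups.last&.first
    attach = head && (op == "<" || (op == ">=" && head.start_with?("~>") &&
             Gem::Requirement.new(head).satisfied_by?(Gem::Version.new(ver))))
    attach ? groups.last << c : groups << [c]
  end
  groups.map { |g| Gem::Requirement.new(*g) }
end

# A version is fixed once it satisfies any one alternative.
def patched?(version, solution)
  v = Gem::Version.new(version)
  split_alternatives(solution).any? { |req| req.satisfied_by?(v) }
end

# Re-check a report against the versions now installed (in a real app e.g. from
# Gem.loaded_specs); returns [name, version, advisory] for unpatched records.
def still_affected(report, installed)
  parse_report(report).select { |a| installed.key?(a[:name]) }
    .reject { |a| patched?(installed[a[:name]], a[:solution]) }
    .map { |a| [a[:name], installed[a[:name]], a[:advisory]] }
end
INSTALLED = { "nokogiri" => "1.10.5", "puma" => "3.12.1" } # constructed
```

With the constructed `INSTALLED` hash the Nokogiri bump to 1.10.5 clears CVE-2019-13117 while puma 3.12.1 is still reported.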

Actions

flavorjones added a commit that referenced this issue Nov 17, 2019
related to #1943
flavorjones added a commit that referenced this issue Nov 17, 2019
related to #1943
primeos added a commit to NixOS/nixpkgs that referenced this issue Nov 17, 2019
This also updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118,
and CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943
primeos added a commit to NixOS/nixpkgs that referenced this issue Nov 17, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943
primeos added a commit to NixOS/nixpkgs that referenced this issue Nov 17, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943
primeos added a commit to primeos/nixpkgs that referenced this issue Nov 17, 2019
This also updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118,
and CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 46ed8ed)
primeos added a commit to primeos/nixpkgs that referenced this issue Nov 17, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit ad13058)
primeos added a commit to primeos/nixpkgs that referenced this issue Nov 17, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 55f4feb)
va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Nov 18, 2019
Resolves a security warning:

```
Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5
```

### Description

Upgrades `nokogiri` to 1.10.5, which updates the included `libxml` dependency that contained a couple of vulnerabilities. I wouldn't expect any breakages

See: sparklemotion/nokogiri#1943
adongare added a commit to projecttacoma/cqm-parsers that referenced this issue Nov 19, 2019
roback added a commit to twingly/feedbag.herokuapp.com that referenced this issue Nov 21, 2019
roback added a commit to twingly/feedjira.herokuapp.com that referenced this issue Nov 21, 2019
selzoc pushed a commit to cloudfoundry/cloud_controller_ng that referenced this issue Nov 21, 2019
david-a-wheeler added a commit to coreinfrastructure/best-practices-badge that referenced this issue Nov 21, 2019
This update is due to CVE-2019-13117,
sparklemotion/nokogiri#1943
"Nokogiri gem, via libxslt, is affected by multiple vulnerabilities".

At first blush it doesn't look like these are exploitable in our
applications, but it's hard to be certain of that.
Much better to just upgrade.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
seanpdoyle added a commit to thoughtbot/administrate that referenced this issue Nov 22, 2019
```yaml
Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5
```
senid231 added a commit to senid231/yeti-web that referenced this issue Dec 4, 2019
Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5
senid231 added a commit to senid231/yeti-web that referenced this issue Dec 11, 2019
Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: puma
Version: 3.12.1
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1
primeos added a commit to primeos/nixpkgs that referenced this issue Dec 19, 2019
This also updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118,
and CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 46ed8ed)
primeos added a commit to primeos/nixpkgs that referenced this issue Dec 19, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit ad13058)
primeos added a commit to primeos/nixpkgs that referenced this issue Dec 19, 2019
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 55f4feb)
dtzWill added a commit to dtzWill/nixpkgs that referenced this issue Jan 20, 2020
This also updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118,
and CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 46ed8ed)
dczulada added a commit to projecttacoma/cqm-parsers that referenced this issue Feb 6, 2020
* Fixed SDC loading to work with newer DRC measures. And cherry-pick work from master. (#39)

* Fixed SDC loading to work with newer DRC measures.
 - Fixed issues with most data criteria getting thrown out.

* Bring over dependabot nokogiri update and the simplexml_parser removal from #30.
[Security] Update nokogiri requirement from ~> 1.8.5 to >= 1.8.5, < 1.11.0
Updates the requirements on [nokogiri](https://github.com/sparklemotion/nokogiri) to permit the latest version.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.8.5...v1.10.3)

* Add the hqmf identifier to a statement reference (#25)

* Port ratio/proportional cv fix from hds and add tests (#48)

* codeListId and hqmfOid are both needed for sdc uniqueness

* Add descriptive error message if model cannot be found

* 2019 standards update (#63)

* 2019 standards update entry point fix (#54)
* fixed gem entry point file to be named properly
* fix issue with loading api uploaded files (#55)
* [Security] Bump nokogiri from 1.10.3 to 1.10.4
* Bump cqm-models version to 3.0.0

* [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0 (#67)

* [Security] Update rubyzip requirement from ~> 1.2.2 to >= 1.2.2, < 2.1.0

Updates the requirements on [rubyzip](https://github.com/rubyzip/rubyzip) to permit the latest version.
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md)
- [Commits](rubyzip/rubyzip@v1.2.3...v2.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Updated rubyzip dependency to be less than version 2.x, which requires ruby 2.4

* BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages

* BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages

* BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages

* Bonnie-593(ONCJira) test case fix

* BONNIE-593 Bonnie Unresponsive Message and Error Loading Measure Packages
Fixed vulnerability: sparklemotion/nokogiri#1943

* BONNIE-587 Error loading VSAC value sets(ONC jira id)

* Updated version of bonnie_version cqm-parser branch (#71)

* Updated version of bonnie_version cqm-parser branch

* Updated cqm-parser (binnie_viersion branch)

* Remove unnecessary fixtures and re-include test_5_4_CQL_measure_with_drc

Co-authored-by: hossenlopp <hossenlopp@mitre.org>
Co-authored-by: Luke Osborne <luke.w.osborne@gmail.com>
Co-authored-by: dczulada <dczulada@users.noreply.github.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Co-authored-by: Ashok Dongare <ashok.dongare@semanticbits.com>
dtzWill added a commit to dtzWill/nixpkgs that referenced this issue Feb 29, 2020
This updates Nokogiri to 1.10.5 for CVE-2019-13117, CVE-2019-13118, and
CVE-2019-18197 [0].

[0]: sparklemotion/nokogiri#1943

(cherry picked from commit 55f4feb)
senid231 added a commit to senid231/didww-v3-rails-sample that referenced this issue Feb 10, 2021
Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: sprockets
Version: 3.7.1
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8